CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6097 – Absolute Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-6097
12 Feb 2025 — In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability. • https://docs.telerik.com/reporting/knowledge-base/kb-security-absolute-path-traversal-CVE-2024-6097 • CWE-36: Absolute Path Traversal •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11626
https://notcve.org/view.php?id=CVE-2024-11626
07 Jan 2025 — Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web del backend de CMS (sección administrativa) (XSS o 'Cross-site Scripting') en Progress Site... • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11625
https://notcve.org/view.php?id=CVE-2024-11625
07 Jan 2025 — Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. Vulnerabilidad de exposición de información a través de un mensaje de error en Sitefinity de Progress Software Corporation. Este problema afecta a Sitefinity: desde la versión 4.0 hasta la 14.4.8142, desde la versión 15.0.8200 hasta la 15.0.8229, ... • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12105 – WhatsUp Gold - SnmpExtendedActiveMonitor path traversal
https://notcve.org/view.php?id=CVE-2024-12105
31 Dec 2024 — In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. • https://www.progress.com/network-monitoring • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.7EPSS: 4%CPEs: 1EXPL: 0CVE-2024-12106 – WhatsUp Gold - LDAP configuration interface leading to allowing attacker to configure LDAP settings without authentication
https://notcve.org/view.php?id=CVE-2024-12106
31 Dec 2024 — In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. • https://www.progress.com/network-monitoring • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.6EPSS: 2%CPEs: 1EXPL: 0CVE-2024-12108 – WhatsUp Gold - Public API signing key rotation issue
https://notcve.org/view.php?id=CVE-2024-12108
31 Dec 2024 — In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. • https://www.progress.com/network-monitoring • CWE-290: Authentication Bypass by Spoofing •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8785 – WhatsUp Gold Registry Overwrite Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-8785
02 Dec 2024 — In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\. In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\. • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024 • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2024-46909 – WhatsUp Gold WriteDataFile Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-46909
02 Dec 2024 — In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the WriteDataFile method. The issue results from the lack of proper validation of a user-sup... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024 • CWE-16: Configuration CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •
CVSS: 9.0EPSS: 5%CPEs: 1EXPL: 0CVE-2024-46905 – WhatsUp Gold GetOrderByClause SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-46905
02 Dec 2024 — In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account. This vulnerability allows remote attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the GetOrderByClause method. The issue resul... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 5%CPEs: 1EXPL: 0CVE-2024-46906 – WhatsUp Gold GetSqlWhereClause SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-46906
02 Dec 2024 — In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. This vulnerability allows remote attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the GetSqlWhereClause method. The issue results ... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •